The system comprises a pair of error checking processors
connected in a master/slave configuration such that the
slave receives inputs and outputs of the master, mimics
operation of the master based on the inputs to produce
mimicked outputs, compares the mimicked outputs with the
master outputs and indicates an error condition if the
mimicked outputs do not equal the master outputs. A
checking circuit forces a difference between the mimicked
output and the master output and determines if the master
slave configuration accurately determines the presence of
the forced error.

This invention relates to fail-safe computer systems and
particularly to such systems in which a slave computer or
microprocessor monitors the operation of a master computer
or microprocessor and outputs an error condition signal
when an error is detected.

It has become quite common to use redundant 
processors to provide a fail-safe mode of operation. 
The master processor executes programs and the 
slave processor mimics the operation of the master 
processor. The slave receives the same inputs as 
the master and has its output drivers disabled. The 
output pins of the slave are connected to the 
master's. By comparing the internally generated 
input to its output drivers to the outputs of the 
master processor, the slave performs a compre- 
hensive check of the operation of the master pro- 
cessor. If a discrepancy is detected, an error signal 
is generated. 

A master/slave combination can operate properly for years
before an error condition is encountered. During this
period, it would be desirable to determine if the
master/slave configuration is performing its proper error
monitoring function. However, presently, there is no known
system or method for checking the error detecting operation
of a master/slave combination within a simple master/slave
checking system such as used in the AM 29000 microprocessor
produced by Advanced Micro Devices of Sunnyvale, California,
where the slave snoops the master output.

In the present specification there is described a 
system whereby the proper operation of a 
master/slave combination can be determined. 

There is further described a checking system 
for master/slave operation which can carry out its 
function without hindering the normal program ex- 
ecution carried out in a master/slave configuration, 
the system using relatively few components in an 
expeditious and cost-effective manner. 

In one embodiment the present invention com- 
prises a pair of error checking processors con- 
nected in a master/slave configuration such that the 
slave receives inputs and outputs of the master, 
mimics the operation of the master based on the 
inputs to the master to produce mimicked outputs, 
compares the mimicked outputs with the master 
outputs and indicates an error condition if the mim- 
icked outputs do not equal the master outputs. The 
embodiment also includes a checker for forcing a 
difference between the mimicked outputs and the 
master outputs. 

In accordance with other aspects of the invention, the
checker comprises an input for receiving data input to the
master and passing the data to inputs of the slave. The
checker selectively alters the data before passing it to
the slave so that the inputs to the master and the slave
differ.



The data alteration carried out by the checker 
can comprise alteration of a single bit of one data 
word. 

The single bit can be the least significant bit of the data
word.

In accordance with further aspects of the invention, the
system can include a program for shifting and masking to
set the altered bit in the address, data, or control fields
in order to test the system's response to errors occurring
in different bit locations. The program can perform this
test for response to errors at an arbitrary rate, say from
once a day to many times per second.

Another aspect of the invention is the method of checking
the operation of a master/slave processor system by forcing
a difference between the outputs of the master and slave
processors and detecting the error condition output of the
master/slave configuration.

In the accompanying drawings, by way of example only:

Figure 1 is a block diagram of a master/slave system
embodying the present invention;

Figure 2 is a block diagram of the data altering circuit of
the checker of Fig. 1;

Figure 3 is a block diagram of the monitoring circuit of
the checker;

Figure 4 is a flowchart of the token generation operation;
and

Figure 5 is a flowchart of the checking operation.

With reference to Figure 1, it will be seen that the system
comprises a master microprocessor 10, such as a model
Am29000 32-bit Streamlined Instruction Processor produced
by Advanced Micro Devices (AMD) of Sunnyvale, California
and a slave processor 12 which can also be an AMD Model
Am29000. The master and slave processors are connected in a
conventional manner with the test pin of the master
processor grounded and the test pin of the slave processor
connected to Vcc. In this configuration, the master
executes program instructions and outputs data on its
address bus 14, control bus 16, and data bus 18. Buses 14,
16, and 18 are connected to the address output A, the
control output CTL, and the data output D of slave
processor 12. Slave processor 12 mimics the master
processor 10 by executing the same program steps to produce
a mimicked output. However, the output drivers of the slave
processor are disabled so that the mimicked output never
appears on the slave output pins. The slave processor 12
compares its mimicked output with the master output. If a
difference is noted, an error condition signal is asserted
on master/slave error line 20.

The system also includes a main memory 22 which is
connected to buses 14, 16, and 18 in a conventional manner.
These buses provide address, control, and data field
signals to the memory for accessing information in the
memory. An accessed instruction is provided by memory 22 on
instruction bus 24. At the same time, when an instruction
request has been fulfilled by the memory 22, an instruction
ready signal (IRDY) is output on instruction ready line 26
by the main memory. This type of operation is conventional
and will not be discussed in further detail.

In a conventional master/slave configuration, the
instruction bus 24 is connected to the instruction input I
of master microprocessor 10 and slave microprocessor 12.
However, in accordance with the present invention, this
connection is altered with respect to the slave
microprocessor 12 only. In other words, the bus connections
to master microprocessor 10 are made in a conventional
manner but the connection to slave microprocessor 12 is not
conventional.

In the AMD Am29000 microprocessor, 32 bit words are used.
Therefore, the instruction bus 24 contains 32 bit lines.
All of these are input to the master microprocessor 10.
However, only 31 of the 32 bit lines in bus 24 are
connected directly to slave microprocessor 12. The other
bit line 24i is connected to checker circuit 30. This bit
line preferably carries the least significant bit of the
word. This bit is selectively altered in checker circuit
30, as will be discussed below, and the altered bit is
passed out on line 24'i which is provided to slave
processor 12 to make up a full 32 bit word.

In accordance with the invention, one global 
register of each of master processor 10 and slave 
processor 12 is set aside for use in checking the 
operation of the master/slave system. These global 
registers, indicated generally as GR1, are des- 
ignated 40 and 40' in the master and slave micro- 
processors 10 and 12, respectively. 

As discussed above, checker 30 functions to provide words
to registers 40 and 40' which differ by one bit. This
operation is carried out by the circuit shown in Figure 2
which is incorporated in the checker 30. This circuit
comprises a latch 42 which can be a conventional flip-flop.
Latch 42 has an inverting output on line 43 connected to
one input of AND gate 44. The other input of AND gate 44
receives line 24i which has the least significant bit of
bus 24. The output of AND gate 44 is on line 24'i which
comprises the least significant bit input to slave
microprocessor 12.

In operation, during system initialization such as when the
system is initially turned on, a reset signal is provided
to all latches to place them in their initial states. This
operation, which is conventional in microprocessor systems,
causes a reset signal to appear on line 46, setting latch
42. This deasserts the output on line 43 disabling AND gate
44. This forces the output of gate 44 low regardless of the
input on line 24i.

The word stored in registers 40 and 40' is referred to as a
checking token. The software for generating this token is
depicted in the flowchart of Figure 5. Step 50 indicates
power being turned on to the system. Step 51 is a reset
routine which causes the reset signal to be applied to all
internal and external latches. This produces the signal on
line 46 of Figure 2. Step 52, the first program step after
initialization, commands an instruction fetch from main
memory 22 to the first predetermined global register GR1.
This instruction fetch accesses a 32 bit register in memory
22 containing a 1 as the least significant bit. The fetched
constant is transferred through bus 24 to master
microprocessor 10 and is written into the predetermined
global register, which is register 40 in the master
processor. This microprocessor then contains the correct
token value. All bits except the least significant bit of
bus 24 are written into the corresponding global register
40' of microprocessor 12. The least significant bit
received by microprocessor 12, however, is a zero on line
24'i thereby assuring a one bit difference between the
values in register 40 and 40'. After the fetched value is
made available by main memory 22, a signal is asserted on
line 26 to microprocessors 10 and 12 indicating that the
instruction fetch has been completed. As shown in Figure 2,
this signal resets latch 42 to provide a high signal on the
inverting output of line 43. This enables gate 44 to pass
whatever value is received on line 24i. Thus, any future
instruction fetches will result in the same values being
applied to master microprocessor 10 and slave
microprocessor 12.

As further shown in Fig. 5, instruction 53, which follows
the resetting of latch 42, commands the same instruction
fetch, but to a different global register GR2. Thus, both
processors have one register containing the correct fetched
value, for reasons to be discussed. The microprocessors
continue to execute program steps as shown in step 54 of
Figure 5.

Figure 3 shows a block diagram of the portion of the
checker circuit 30 used to confirm the proper operation of
the master/slave combination. This circuit includes a
control field register 60, an address field register 62 and
a data field register 64 connected, respectively, to the
control bus 16, address bus 14, and data bus 18. A
conventional decoder 66 is also connected to the control
bus 16 and address bus 14. A first output 68 from the
decoder connects to a read/write input of the control field
register 60, a second output line 70 connects to a
read/write input of the address field register 62 and a
third output 72 connects to a read/write input of data
field register 64. When an output is asserted on a line 68,
70, or 72 the associated register is placed in a write
condition to accept data. Otherwise, the associated
register is in a read condition, making its contents
available on its output 61, 63 or 65.

Decoder 66 is under program control of the master slave
combination. It is used to load the registers 60, 62 and 64
with the control, address and data field of the token to be
used in checking the master slave operation, as discussed
below.

Comparators 80, 82, and 84 are associated, respectively,
with the control field register 60, address field register
62, and data field register 64. Each comparator receives
one input from the associated register and another input
from one of the buses 16, 14, and 18. For example,
comparator 80 receives an input on line 61 from the control
field register 60 and another input from the control bus 16
to compare words on each of these inputs. If the comparison
indicates a match, an output is asserted on line 92. In
like manner, if comparator 82 finds a match between an
input on line 63 from address field register 62 and address
bus 14, an output is asserted on line 96. Finally, a
similar operation is performed by comparator 84 which
compares inputs on line 65 and bus 18 to assert an output
on line 102. Lines 92, 96, and 102 are connected to inputs
of an AND gate 104 which asserts an output on line 106 when
a complete match of all fields is indicated. A complete
match of this nature indicates the master slave checking
token is being output on busses 16, 14, and 18.

A fourth output of decoder 66 asserts a signal on a line
112 in response to an input commanding a checker enable
condition. This checker enable condition will be commanded
after registers 60, 62 and 64 are loaded. Line 112 is
connected to the set input of a latch 114 whose
non-inverting output is connected to an input of AND gate
116 through line 115. The other input to AND gate 116 is
line 106. The output of AND gate 116 is taken on line 118
to AND gate 120. This output indicates that a forced error
should be sensed by the slave processor. The other input to
gate 120 is the master/slave error indicator line 20 from
slave microprocessor 112. Gate 120 asserts an output on
line 121 whenever a forced error is properly detected by
the slave processor.

The signal on line 121 may be provided to the set input of
a latch 122 where it is held for further processing. Latch
122, therefore, asserts an output on line 130 whenever the
slave processor has properly detected a forced error. This
output is provided to a circuit 132 which may process the
signal on line 130 and sound an alarm if a forced error is
not properly detected. Upon each occurrence of a properly
detected forced error, circuit 132 will reset latch 122
through line 134.

Line 106 is also connected to a delay flip-flop 136 which
delays the signal on line 106 by one clock cycle. The
delayed signal is passed to one input of an OR gate 124
whose other input is connected to reset line 46. The output
of gate 124 is connected to the reset input of latch 114.
Thus, latch 114 will be reset upon initialization of the
system as well as one clock cycle after a match is sensed
by AND gate 104.

In operation, the software being run in the microprocessors
accesses the registers 60, 62, and 64 by conventional means
through address and control buses 14 and 16 and decoder 66.
The accessed registers are loaded with the control, address
and data fields on which the checker token is to be output.
Subsequently a checker enable condition is commanded
causing a signal to be asserted on line 112 which sets
latch 114 to enable a checking operation. The output of
latch 114 enables gate 116 to pass any signals on line 106
when they occur.

Subsequent to loading the registers 60, 62, and 64, and
commanding a checker enable condition, the program
externalizes the word in register 40 through the
appropriate control, address, and data fields previously
stored in registers 60, 62 and 64. When the token appears
on busses 16, 14, and 18, a match is indicated on lines 92,
96 and 102, causing an output on line 106 from gate 104. An
output of gate 104, therefore, indicates that the token has
been externalized and that the slave processor should be
sensing and indicating an error.

The output on line 106 is passed by gate 116 to gate 120
which also receives the error condition output signal on
line 20. If the slave has properly detected the mismatch
between its mimicked output and the master output, a signal
will be asserted on line 20 causing an output on line 121.
This output indicates proper operation of the master/slave
combination.

The output on line 121 can be monitored by any convenient
system, such as by setting latch 122 and causing a signal
on line 130 to be passed to circuit 132 to indicate proper
operation. Subsequently, circuit 132 will reset latch 122
when it has processed the received signal. Circuit 132 may,
for example, initiate a checking sequence by sending an
interrupt signal to the processors 10 and 12 at
predetermined periods and then indicate an error if no
response is received on line 130 within another
predetermined period. Such a circuit could be implemented
by a timer which is restarted at predetermined periods by a
signal which is sent to the master/slave combination as an
interrupt, sets an alarm when it times out and is reset by
the signal on line 130 to reset latch 122.

Figure 5 shows a flowchart of the program enabling the
system to check the operation of the master/slave
configuration for all output bits. Step 150 indicates an
interrupt which begins operation of the checking program.
This interrupt can be applied on a periodic basis, for
example, once every 5 milliseconds by circuit 132. It will
be remembered that at this point, the system has been
turned on so that the program of Figure 4 has already been
run and the token is stored in registers 40 and 40' with a
one bit deviation. Step 152 of the program of Figure 5
produces a shift and/or mask operation to move that one bit
to a new bit location such that each time the program of
Figure 5 is run, a comparison will be made with the
incorrect bit in a different location. This results in the
incorrect bit appearing at each output pin during different
executions of the program. Step 153 then loads the contents
of the second global register to the checker. As will be
recalled, the second global register contains the correct
representation of the token in both the master and slave
processors. This enables the token to be loaded into the
checker registers without causing an error condition output
in the slave processor. As part of step 153, the checker
enable condition is commanded after all registers in the
checker circuit 30 are loaded. In step 154, the token in
register GR1 is externalized by an appropriate load, jump
or other instruction requiring the token to appear on the
output pins of the master. This should cause an error
condition to be detected by the slave. If not, the checker
30 will produce an appropriate response in the form of an
alarm or other error condition signal.
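
The token generation and checking sequence described above
can be traced in software. The following C model is an
added example, not code from the specification; the
function names, the constant value, the blind_mask fault
parameter, the restriction to the data field, and the
assumption that the GR2 copy is shifted to the same
position as the token are all illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Figure 2: latch 42 drives AND gate 44. While the latch is set (after
 * reset, before the first IRDY) the slave's copy of bit line 24i is
 * forced low; afterwards the bit passes through unchanged. */
uint32_t slave_view(uint32_t bus24, bool latch42_set)
{
    return latch42_set ? (bus24 & ~UINT32_C(1)) : bus24;
}

/* Slave comparison that drives error line 20. blind_mask is a constructed
 * fault: bit positions where a defective comparator misses a mismatch. */
bool error_line20(uint32_t master_out, uint32_t mimicked, uint32_t blind_mask)
{
    return ((master_out ^ mimicked) & ~blind_mask) != 0;
}

/* Figure 3, data field only: comparator 84 feeds gate 104 (line 106),
 * latch 114 enables gate 116 (line 118), gate 120 ANDs in line 20. */
bool line121(uint32_t reg64, uint32_t data_bus, bool latch114, bool line20)
{
    bool line106 = (reg64 == data_bus);
    bool line118 = latch114 && line106;
    return line118 && line20;
}

/* One checking pass per data-bus bit. Returns a mask of bit positions at
 * which the forced error went undetected (0 means the pair checks out). */
uint32_t run_self_test(uint32_t blind_mask)
{
    const uint32_t constant = UINT32_C(1);             /* constructed: LSB = 1 */

    /* Token generation: first fetch with latch 42 set, second with it reset. */
    uint32_t gr1_master = constant;
    uint32_t gr1_slave  = slave_view(constant, true);  /* differs in one bit  */
    uint32_t gr2        = slave_view(constant, false); /* same in both CPUs   */

    uint32_t undetected = 0;
    for (unsigned pos = 0; pos < 32; pos++) {
        /* Step 152: shift the differing bit to a new location. */
        uint32_t master_out = gr1_master << pos;
        uint32_t mimicked   = gr1_slave << pos;

        /* Step 153: load the expected value from GR2 (assumed shifted the
         * same way) into register 64 and command checker enable. */
        uint32_t reg64 = gr2 << pos;
        bool latch114 = true;

        /* Step 154: externalize GR1 and sample line 20 during the match. */
        bool line20 = error_line20(master_out, mimicked, blind_mask);
        if (!line121(reg64, master_out, latch114, line20))
            undetected |= UINT32_C(1) << pos;          /* circuit 132 alarms */
    }
    return undetected;
}

int main(void)
{
    printf("healthy pair:     undetected mask = 0x%08x\n",
           (unsigned)run_self_test(0));
    printf("comparator fault: undetected mask = 0x%08x\n",
           (unsigned)run_self_test(UINT32_C(0x00000100)));
    return 0;
}
```

A nonzero return value corresponds to the case in which
circuit 132 receives no signal on line 130 and raises its
alarm.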

The foregoing description is intended to illus- 
trate the present invention but is not intended to 
limit the scope of protection being sought. Clearly, 
numerous additions, changes, substitutions and the 
like could be made to this preferred embodiment 
without departing from the scope of the invention 
as set forth in the appended claims. For example, 
the least significant bit could simply be inverted 
rather than forced to zero, or the entire token 
passed to slave 12 could be inverted from that 
passed to master 10 and multiple checkers could 
be provided to perform a bit-by-bit analysis to 
indicate the status of all output pins at one time. 

Claims 

1. A system, comprising:

a pair of error checking processors connected in a
master/slave configuration such that the slave receives
inputs and outputs of the master, mimics operation of the
master based on said inputs to produce mimicked outputs,
compares said mimicked outputs with said master outputs and
indicates an error condition if said mimicked outputs do
not equal said master outputs; and

checking means for forcing a difference between a mimicked
output and a master output to check the operation of said
processors.

2. A system as claimed in claim 1 wherein said checking
means comprises input means for receiving data input to
said master and passing said data to an input of said
slave; and data alteration means for selectively altering
said data before passing it to said slave so that the data
input to said master and slave differ.

3. A system as claimed in claim 1 wherein said data
alteration means alters one bit of said data.

4. A system as claimed in claim 3 wherein said 
one bit is a least significant bit. 

5. A system as claimed in claim 1 wherein said checking
means comprises a circuit for monitoring said error
condition.

6. A system as claimed in claim 1 wherein said checking
means comprises a circuit having a control field register,
an address field register and a data field register to
store expected outputs of said master processor.

7. A system as claimed in claim 6 wherein said circuit
includes comparators for comparing contents of said control
field, address field and data field registers with outputs
of said master processor and indicating a match.

8. A system as claimed in claim 6 including means for
selectively causing said difference between a master output
and a mimicked output to appear on a control field output,
an address field output and a data field output.

9. A system as claimed in claim 8 wherein said data
alteration means alters one bit and including means for
shifting the position of said one bit to selectively cause
said difference to appear one bit at a time in said control
field output, said address field output and said data field
output.

10. A system as claimed in claim 7 wherein said circuit
includes means responsive to said comparators indicating a
match for sensing a state of a master slave error output of
said slave processor and indicating proper operation if
said master slave error output indicates an error.

11. A method, comprising:

operating a pair of error checking processors in a
master/slave configuration such that the slave receives
inputs and outputs of the master, mimics operation of the
master based on said inputs to produce mimicked outputs,
compares said mimicked outputs with said master outputs and
indicates an error condition if said mimicked outputs do
not equal said master outputs; and

forcing a difference between a mimicked output and a master
output to check the operation of said processors.

12. A method as claimed in claim 11 wherein said step of
altering comprises receiving data input to said master and
passing said data to an input of said slave; and
selectively altering said data before passing it to said
slave so that the data input to said master and slave
differ.

13. A method as claimed in claim 12 wherein said step of
altering comprises altering one bit of said data.